Samba version-2

This documentation covers Samba 2, and Samba 3 running in Samba 2 compatibility mode. This is how we used to configure Samba; nowadays this part of the documentation is obsolete and no longer maintained!

Install the software

apt-get install samba samba-doc

/etc/samba/smb.conf

 [global]
 ldap suffix = dc=intra,dc=example,dc=com
 ldap admin dn = cn=admin,dc=intra,dc=example,dc=com
 ldap ssl = start_tls
 ldap passwd sync = yes
 ldap delete dn = no
 ldap user suffix = ou=People
 ldap group suffix = ou=Groups
 ldap machine suffix = ou=Computers
 workgroup = hannibal
 server string = %h server (Samba %v)
 netbios name = fileserver
 wins support = yes
 dns proxy = yes
 log file = /var/log/samba/log.%m
 max log size = 1000
 syslog = 0
 panic action = /usr/share/samba/panic-action %d
 security = user
 encrypt passwords = true
 passdb backend = ldapsam:ldap://ldap.intra.example.com
 obey pam restrictions = no
 guest account = nobody
 invalid users = root
 unix password sync = yes
 passwd program = "/opt/ldapmin/sambaldapscripts/smbldap-passwd.pl -o %u"
 passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
 add machine script = "/opt/ldapmin/sambaldapscripts/smbldap-useradd.pl -w -d /dev/null -s /bin/false %u ; sleep 5"
 load printers = yes
 printcap name = /etc/printcap
 socket options = TCP_NODELAY
 local master = yes
 os level = 255
 domain master = yes
 preferred master = yes
 domain logons = yes
 logon path =
 [netlogon]
   comment = Network Logon Service
   path = /home/system/netlogon
   guest ok = yes
   writable = no
   share modes = no
 [print$]
   comment = Network Printer Drivers
   path = /home/system/printers
   write list = @"Domain Admins"
   force group = "Domain Users"
   create mode = 660
   directory mode = 770
   browsable = yes
   read only = yes
   guest ok = yes
 [homes]
   comment = Home Directories
   browseable = yes
   writable = yes
   valid users = %S
   create mode = 0664
   directory mode = 0775
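Two of the settings above carry the real security weight: the ldap admin dn password is sent with every bind, so `ldap ssl = start_tls` (or an ldaps:// backend URL) keeps it off the wire in the clear, and shares that combine `guest ok = yes` with write access hand anonymous users a writable directory. As an added example (not part of the original page), the following Python script parses an smb.conf written in the shape shown above and reports those conditions, plus a missing `encrypt passwords` or an `invalid users` list without root. The two sample configurations inside it are constructed: one condensed from the listing above, one with the protections removed.

```python
"""Review a Samba 2/3 smb.conf for the LDAP-related hardening choices made above.

Added example, not part of the original page: a minimal smb.conf parser plus a
handful of checks. The sample configurations are constructed inline.
"""
import re
from typing import Dict, List

Section = Dict[str, str]
Config = Dict[str, Section]

# Samba treats "browsable"/"browseable" and "writable"/"writeable" as synonyms;
# fold them onto one spelling. "read only" is the inverse of "writable".
SYNONYMS = {"browsable": "browseable", "writeable": "writable"}
TRUE = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> Config:
    """Parse smb.conf text into {section: {key: value}}.

    Handles leading whitespace (the page's listing indents every line),
    '#' and ';' comments, and case-insensitive multi-word keys.
    """
    config: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip()
            config.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue  # value before any section header; Samba would reject it
        key, _, value = line.partition("=")  # split at the first '=' only (DNs contain '=')
        key = " ".join(key.lower().split())
        key = SYNONYMS.get(key, key)
        config[section][key] = value.strip()
    return config


def is_writable(share: Section) -> bool:
    """Shares default to read only; 'writable = yes' or 'read only = no' opens them."""
    if "writable" in share:
        return share["writable"].lower() in TRUE
    if "read only" in share:
        return share["read only"].lower() not in TRUE
    return False


def review(config: Config) -> List[str]:
    """Return a list of findings (empty means the config passes these checks)."""
    findings: List[str] = []
    g = config.get("global", {})

    # The ldap admin dn password travels with every bind; without StartTLS or
    # an ldaps:// backend URL it crosses the wire in the clear.
    backend = g.get("passdb backend", "")
    tls = g.get("ldap ssl", "").lower() in {"start_tls", "start tls", "on"}
    if backend.startswith("ldapsam") and not (tls or "ldaps://" in backend):
        findings.append("global: ldapsam backend without 'ldap ssl = start_tls' or an ldaps:// URL")
    # Samba 2 defaulted 'encrypt passwords' to no, so treat an absent key as off.
    if g.get("encrypt passwords", "no").lower() not in TRUE:
        findings.append("global: 'encrypt passwords' is off (plaintext/LANMAN authentication)")
    invalid = {u for u in re.split(r"[,\s]+", g.get("invalid users", "")) if u}
    if "root" not in invalid:
        findings.append("global: root is not in 'invalid users'")

    # A share that anonymous users can both reach and write to is rarely intended.
    for name, share in config.items():
        if name == "global":
            continue
        if share.get("guest ok", "no").lower() in TRUE and is_writable(share):
            findings.append(f"[{name}]: guest ok and writable")
    return findings


# Constructed sample: the settings from this page's smb.conf, condensed.
PAGE_CONF = """
 [global]
 ldap ssl = start_tls
 security = user
 encrypt passwords = true
 passdb backend = ldapsam:ldap://ldap.intra.example.com
 invalid users = root
 [netlogon]
   guest ok = yes
   writable = no
 [print$]
   guest ok = yes
   read only = yes
 [homes]
   browsable = yes
   writable = yes
   valid users = %S
"""

# Constructed sample with the protections removed.
WEAK_CONF = """
[global]
ldap ssl = off
encrypt passwords = no
passdb backend = ldapsam:ldap://ldap.intra.example.com
[public]
path = /srv/public
guest ok = yes
read only = no
"""

if __name__ == "__main__":
    for label, text in (("page", PAGE_CONF), ("weak", WEAK_CONF)):
        print(label, review(parse_smb_conf(text)) or ["no findings"])
```

Run it against the real file with `review(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; the page's own configuration produces no findings, the weakened variant produces four.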

Specify the password to be used with the ldap admin dn. Note that Samba stores this password in /var/lib/samba/secrets.tdb, keyed by the admin's DN: if the value of ldap admin dn ever changes, the stored password has to be set again by hand.

smbpasswd -w rootdnpasswordhere

Restart the Samba server

/etc/init.d/samba restart

Smbldap-tools

We use these tools to manage users and groups in LDAP. The samba-doc package (which we already installed) provides the smbldap-tools.

Create the directory from which we want to run the scripts and copy the tools into it

mkdir -p /opt/ldapmin/sambaldapscripts
cd /opt/ldapmin/sambaldapscripts
cp -a /usr/share/doc/samba-doc/examples/LDAP/smbldap-tools/* .
gunzip *.gz

These Perl modules must be in the Perl module include path.

ln -s /opt/ldapmin/sambaldapscripts/smbldap_conf.pm /usr/share/perl5/smbldap_conf.pm
ln -s /opt/ldapmin/sambaldapscripts/smbldap_tools.pm /usr/share/perl5/smbldap_tools.pm

Build mkntpwd from the sources within the smbldap-tools (we do this on our development machine).

cd mkntpwd
gunzip *.gz
make
cp mkntpwd /opt/ldapmin/sambaldapscripts

The smbldap-tools have no execute permission by default, and we want Samba to be able to run them when adding users and machines. Note that smbldap_conf.pm contains the ldap admin dn password, so restrict it to root and the Domain Admins group!

chmod 750 smbldap_conf.pm *.pl
chgrp 512 smbldap_conf.pm *.pl # (512 = 0x200 = Domain Admins)

Modify /opt/ldapmin/sambaldapscripts/smbldap_conf.pm to match your environment

(parts of) /opt/ldapmin/sambaldapscripts/smbldap_conf.pm

....
$UID_START = 1000;
$GID_START = 1000;
# Put your own SID
# to obtain this number do: "net getlocalsid"
$SID='S-1-5-21-3097403303-883171153-4164530297';
$slaveLDAP = "ldap.intra.example.com";
$slavePort = "389";
$masterLDAP = "ldap.intra.example.com";
$masterPort = "389";
$ldapSSL = "1";
$suffix = "dc=intra,dc=example,dc=com";
$usersou = q(People);
$usersdn = "ou=$usersou,$suffix";
$computersou = q(Computers);
$computersdn = "ou=$computersou,$suffix";
$groupsou = q(Groups);
$groupsdn = "ou=$groupsou,$suffix";
$scope = "sub";
$hash_encrypt="SMD5";
$binddn = "cn=admin,$suffix";
$bindpasswd = "rootdnpassword";
....
$_userLoginShell = q(/bin/false);
$_userHomePrefix = q(/home);
$_userGecos = q(Hannibal User);
$_defaultUserGid = 513;
$_defaultComputerGid = 553;
....
$_userSmbHome = q(\\\\fileserver\\homes);
$_userProfile = q(\\\\fileserver\\profiles\\);
$_userHomeDrive = q(P:);
....
$with_smbpasswd = 0;
$smbpasswd = "/usr/bin/smbpasswd";
$mk_ntpasswd = "/opt/ldapmin/sambaldapscripts/mkntpwd";
....

Don't forget to put your machine's SID in smbldap_conf.pm! The samba package needs to be installed for this to work, as it provides the 'net' command.

Put the SID reported by these commands in $SID

net rpc info
net getlocalsid

Install the Perl LDAP and SSL modules that the smbldap-tools need in order to connect to the directory.

apt-get install libnet-ldap-perl libnet-ssleay-perl libio-socket-ssl-perl

Populate the LDAP-database

cd /opt/ldapmin/sambaldapscripts
./smbldap-populate.pl

Create this account and use it to add machine accounts to your domain. Note that -u 0 -g 0 in the second step gives it uid and gid 0, so it is root-equivalent on the file server.

./smbldap-useradd.pl -d /dev/null -s /bin/false admsamba
./smbldap-usermod.pl -g 0 -u 0 admsamba
./smbldap-passwd.pl admsamba

Accounts for your users can be added like so

./smbldap-useradd.pl -a -d /home/firstuser -m -s /bin/bash firstuser
./smbldap-passwd.pl firstuser

Note: if you use the -P option of the smbldap-tools in order to automatically end up in smbldap-passwd while adding or modifying a user, you have to change the default path to smbldap-passwd, because at the moment the authors of the smbldap-tools hard-code it as /usr/local/sbin.